The AWS cloud infrastructure has been architected to be one of the most flexible and secure cloud computing environments available today. In this session, we’ll provide a practical understanding of the assurance programs that AWS provides; such as HIPAA, FedRAMP(SM), PCI DSS Level 1, MPAA, and many others. We’ll also address the types of business solutions that these certifications enable you to deploy on the AWS Cloud, as well as the tools and services AWS makes available to customers to secure and manage their resources.
AWS Government, Education, & Nonprofits Symposium
Canberra, Australia | May 20, 2014
Security as an enabler – improving security with the AWS cloud
Stephen Quigg, Principal Security Solutions Architect, Asia Pacific, Amazon Web Services
AWS Regions: US-EAST (Virginia), US-WEST (N. California), US-WEST (Oregon), GOV CLOUD, EU-WEST (Ireland), ASIA PAC (Tokyo), ASIA PAC (Singapore), ASIA PAC (Sydney), SOUTH AMERICA (Sao Paulo)
AWS has Regions across the globe – including Sydney
You can stay onshore in Australia with AWS
AWS Sydney Region: multiple availability zones
You can improve your security with the AWS cloud
(Diagram: AWS Foundation Services – Compute, Storage, Database, Networking; AWS Global Infrastructure – Regions, Availability Zones, Edge Locations. Customer-controlled layers – Client-side Data Encryption; Server-side Data Encryption; Network Traffic Protection; Platform, Applications, Identity & Access Management; Operating System, Network & Firewall Configuration; Customer content)
You can deploy a consistent security model every time
Customers control their level of security and compliance IN the Cloud
AWS is responsible for the security OF the Cloud
You can build everything to be resilient and fault tolerant
AWS operates scalable, fault tolerant services
• Build resilient solutions operating in multiple datacenters
• AWS helps simplify active-active resilient solutions
All AWS facilities are always on
• No need for a “Disaster Recovery Datacenter” when you can have resilience
• Every AWS facility managed to the same global standards
AWS has robust connectivity and bandwidth
• Each AZ has multiple, redundant Tier 1 ISP Service Providers
• Resilient network infrastructure
Everything can have fine-grained network security
(Diagram: Availability Zone A and Availability Zone B)
You control your VPC address range
• Your own private, isolated section of the AWS cloud
• Every VPC has a private IP address space you define
• Create your own subnets and control all internal and external connectivity
AWS network security
• AWS network will prevent spoofing and other common layer 2 attacks
• Every compute instance gets multiple security groups - stateful firewalls
• Every subnet gets network access control lists
Create multi-tier architectures every time
(Diagram: VPC A - 10.0.0.0/16 in Availability Zone A, with subnets 10.0.1.0/24 to 10.0.5.0/24 holding the load balancing, EC2 Web, EC2 App, Log and Jump host tiers)
Firewall every single compute instance
(Diagram: the same VPC A - 10.0.0.0/16 layout, with security group rules on each tier:)
• “Web servers will accept Port 80 from load balancers”
• “App servers will accept Port 8080 from web servers”
• “Allow SSH access only from Jump Hosts”
Enable network access control on every subnet
(Diagram: the same VPC A - 10.0.0.0/16 layout, with a network access control list on the subnets:)
• “Deny all traffic between the web server subnet and the database server subnet”
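As an added example (not from the slides or from AWS), the two slides above modelled in Python: stateful security-group rules for the three quoted policies plus a stateless subnet network ACL, evaluated over a constructed fleet on the diagram's subnets. Assumed: the web tier sits in 10.0.2.0/24 and a database tier in 10.0.4.0/24, and the NACL is simplified to one ordered rule list applied to the whole flow.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Instance:
    name: str
    ip: str
    groups: set = field(default_factory=set)
# Security-group rules (stateful): (target group, proto, port, source); source is
# another group name or a CIDR. The first four mirror the slide's quoted policies.
SG_RULES = [
    ("web", "tcp", 80, "elb"),    # web servers accept port 80 only from load balancers
    ("app", "tcp", 8080, "web"),  # app servers accept port 8080 only from web servers
    ("web", "tcp", 22, "jump"),   # SSH only from the jump host
    ("app", "tcp", 22, "jump"),
    ("db", "tcp", 3306, "web"),   # constructed mistake: an over-permissive rule
]
# Subnet NACL (stateless; rules evaluated in number order, implicit final deny).
# Assumed mapping: web subnet 10.0.2.0/24, database subnet 10.0.4.0/24.
NACL_RULES = [
    (100, "deny", "10.0.2.0/24", "10.0.4.0/24"),
    (110, "deny", "10.0.4.0/24", "10.0.2.0/24"),  # stateless, so block the reverse path too
    (32000, "allow", "0.0.0.0/0", "0.0.0.0/0"),
]

def nacl_allows(src_ip, dst_ip):
    """First matching rule wins; no match means deny (the NACL '*' rule)."""
    for _num, action, src, dst in sorted(NACL_RULES):
        if ip_address(src_ip) in ip_network(src) and ip_address(dst_ip) in ip_network(dst):
            return action == "allow"
    return False

def sg_allows(src, dst, proto, port):
    """Stateful: only an inbound rule on the destination's groups needs to match."""
    for group, p, prt, source in SG_RULES:
        if group in dst.groups and (p, prt) == (proto, port):
            if source in src.groups or ("/" in source and ip_address(src.ip) in ip_network(source)):
                return True
    return False

def flow_allowed(src, dst, proto, port):
    """Defense in depth: the subnet NACL and the instance security group must both allow it."""
    return nacl_allows(src.ip, dst.ip) and sg_allows(src, dst, proto, port)

# Constructed fleet on the diagram's subnets (not real hosts).
ELB = Instance("elb", "10.0.1.5", {"elb"})
WEB = Instance("web1", "10.0.2.10", {"web"})
APP = Instance("app1", "10.0.3.10", {"app"})
DB = Instance("db1", "10.0.4.10", {"db"})
JUMP = Instance("jump", "10.0.5.5", {"jump"})
```

The last assertion pair in use shows the point of the NACL slide: the over-permissive security-group rule would let the web tier reach the database, and the subnet ACL backstops it.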
Control every Internet connection
(Diagram: VPC A - 10.0.0.0/16 in Availability Zone A, subnets 10.0.1.0/24 to 10.0.4.0/24 with EC2 Web and EC2 App tiers, load balancing and an Internet Gateway)
Control Internet routing
• Create Public subnets and Private subnets
• Implement DMZ architectures as per normal best practices
• Allocate static Elastic IP addresses or use AWS-managed public IP addresses
Connect in private to your existing datacentres
(Diagram: the same VPC A - 10.0.0.0/16 layout connected to your premises)
• Use Internet VPNs or use AWS Direct Connect
You can route to the Internet using your gateway
(Diagram: the same VPC A - 10.0.0.0/16 layout, with Internet traffic routed through your premises)
• Use Internet VPNs or use AWS Direct Connect
Create flexible multi-VPC hybrid environments
(Diagram: your organisation – Project Teams, Business Units, Marketing, Reporting – connected to separate VPCs for Digital / Websites, Dev and Test, Internal Enterprise Apps, Analytics (Redshift, EMR) and Storage/Backup (Amazon S3, Amazon Glacier))
Every website can absorb attacks and scale out
(Diagram: distributed attackers and customers reach the Sydney region through Route53 and CloudFront; inside your VPC, WAF instances sit in front of ELBs and Auto Scaling App tiers, with Amazon S3 alongside)
You can encrypt your sensitive information everywhere
Encrypt your Elastic Block Store volumes any way you like
• Many free utilities, plus Trend, SafeNet and other partners offer high-assurance solutions
Amazon S3 offers either server or client-side encryption
• Manage your own keys or let AWS do it for you
Redshift has one-click disk encryption as standard
• Encrypt your data analytics
• You can supply your own keys
RDS supports transparent data encryption (TDE)
• Easily encrypt sensitive database tables
Store your encryption keys securely in CloudHSM
Tamper-resistant customer controlled hardware security modules within your VPC
• Industry-standard SafeNet Luna devices. Common Criteria EAL4+, NIST FIPS 140-2 certified
• No access from Amazon administrators who manage and maintain the appliance
• High availability and replication with on-premise HSMs
Reliable & Durable Key Storage
• Use for transparent data encryption on self-managed databases and natively with AWS Redshift
• Integrate with applications using Java APIs
• Integration with marketplace disk-encryption and SSL
Use your own HSMs if you want
(Diagram: your premises – your HSM and applications – synchronised with CloudHSM appliances behind NAT in your VPC; EC2, EBS, S3, Amazon S3 and Amazon Glacier use the keys for volume, object and database encryption and for signing / DRM / apps)
You can enforce consistent host security
(Diagram: launch an instance from the AMI catalogue, then configure the instance – hardening, audit and logging, vulnerability management, malware and HIPS, whitelisting and integrity, user administration, operating system – to produce your running instance)
You control the configuration of your servers
• Harden operating system and platforms to your own spec
• Use host-based protection software
• Apply ASD Top 35 mitigation strategies!
Think about how you will manage administrative users
• Restrict access as much as possible
Build out the rest of your standard security environment
• Connect to your existing services, e.g. SIEM
Control access and segregate duties everywhere
(Diagram: a Region with VPC A - 10.0.0.0/16 spanning two Availability Zones, subnets 10.0.1.0/24 and 10.0.2.0/24, a router, an Internet Gateway and a Customer Gateway; separate roles for the AWS account owner, network management, security management, server management, storage management, and build and run)
You get to control who can do what in your AWS environment and from where
• Fine-grained control of your entire cloud environment with two-factor authentication
• Integrated with your existing corporate directory using SAML 2.0
Get consistent visibility of logs that you can monitor
Full visibility of your AWS environment
• CloudTrail will record access to API calls and save logs in your S3 buckets, no matter how those API calls were made
• Who did what and when and from what IP address
• Support for many AWS services and growing - includes EC2, EBS, VPC, RDS, IAM and RedShift
• Easily aggregate all log information
• Out of the box integration with log analysis tools from AWS partners including Splunk, AlertLogic and SumoLogic
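As an added example (not from the slides or from AWS), a small Python review pass over constructed CloudTrail records in the JSON shape CloudTrail writes to S3: it produces the "who did what, when and from which IP address" view and applies three review rules of the kind a SIEM would run over the aggregated logs. The corporate address range and the list of change-making API prefixes are assumptions.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed CloudTrail records in the shape of a log file's "Records" array
# (only the fields used here; every value is made up for this example).
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2014-05-20T01:12:03Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "netadmin"}},
    {"eventTime": "2014-05-20T01:15:44Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachUserPolicy", "sourceIPAddress": "198.51.100.7",
     "errorCode": "AccessDenied", "userIdentity": {"type": "IAMUser", "userName": "devops"}},
    {"eventTime": "2014-05-20T00:58:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "DescribeDBInstances", "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"type": "Root"}},
]})
CORPORATE_RANGES = ["203.0.113.0/24"]  # assumed: where administrators normally work from
CHANGE_PREFIXES = ("Create", "Delete", "Put", "Attach", "Detach", "Authorize", "Revoke", "Modify")

def load_records(text):
    return json.loads(text)["Records"]

def who(rec):
    ident = rec.get("userIdentity", {})
    return ident.get("userName") or ident.get("type", "unknown")

def source_ip(rec):
    try:
        return ip_address(rec["sourceIPAddress"])
    except ValueError:
        return None  # calls made by AWS services carry a DNS name here, not an IP

def activity_summary(records):
    """Who did what, when and from which IP address, oldest event first."""
    lines = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        svc = r["eventSource"].split(".")[0]
        status = f' FAILED({r["errorCode"]})' if "errorCode" in r else ""
        lines.append(f'{r["eventTime"]} {who(r)}@{r["sourceIPAddress"]} {svc}:{r["eventName"]}{status}')
    return lines

def findings(records, allowed=CORPORATE_RANGES):
    """Review rules: changes from outside the corporate range, denied calls, root usage."""
    out = []
    for r in records:
        ip = source_ip(r)
        offsite = ip is not None and not any(ip in ip_network(c) for c in allowed)
        if offsite and r["eventName"].startswith(CHANGE_PREFIXES):
            out.append(("change-from-unexpected-ip", who(r), r["eventName"]))
        if r.get("errorCode") == "AccessDenied":
            out.append(("access-denied", who(r), r["eventName"]))
        if r.get("userIdentity", {}).get("type") == "Root":
            out.append(("root-account-used", who(r), r["eventName"]))
    return out
```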
You get to do all of this in DEVELOPMENT, TESTING, PRE-PRODUCTION and LIVE
Let's hear from an AWS customer who has done it
Bruce Haefele, Chief Architect, Health Direct Australia
Delivering health services on AWS
Who we are and what we do
We isolate environments into VPCs
(Diagram: Sydney region VPCs for Dev, Int, Test, Staging, Prod., Tools, Admin and Corp., with a VPN to an external datacenter provider hosting an HSM appliance)
We isolate components within each VPC
(Diagram: within Availability Zone A, components are grouped by classification – Public, Unclassified, Sensitive / Health – covering Web, WAF, API gateway, ESB, API, Portal, App., IAM, Vuln., PII, Log, SIEM, Mon., Sec. Man., Enc. Man., De-id, Auth. and Sec. Data)
Services we use in the AWS cloud
Dynamo DB, RDS, Elastic Network Interface, EBS, Elastic Load Balancer, Glacier, VPC, Storage Gateway, EC2, Cloud Formation, AWS IAM, Autoscaling, Elastic IPs, Route 53, Cloudwatch, S3, Cloudfront, VPC VPN
Things you should think about
• Start small and experiment
• Rethink your approach to your infrastructure
• Data classification
• What AWS services you can use and what you have to build
• Defense in depth
• Where and how to encrypt
• What to log, backup strategies, archive and retrieval
• How to federate and integrate – levels of trust
• Privileged access
• Compliance
• Vendor licensing models
• Financial management
Further info and how to get AWS support
Read AWS security whitepapers, tips and good practices
• http://blogs.aws.amazon.com/security
• http://aws.amazon.com/compliance
• http://aws.amazon.com/security
• Risk and compliance, best practices, audit guides and operational checklists to help you before you go live
• Workshop solutions with an AWS solutions architect, including me!
• Get free trials of security from AWS Partners on the AWS marketplace
Sign up for AWS premium support
• http://aws.amazon.com/support
• Get help when you need it most – as you grow
• Choose different levels of support with no long-term commitment
THANK YOU Please give us your feedback by filling out the Feedback Forms